The AutoSecure feature secures a router by using a single CLI command to disable common IP services that can be exploited for network attacks, enable IP services and features that can aid in the defense of a network when under attack, and simplify and harden the security configuration of the router.
AutoSecure enhances secure access to the router by configuring a required minimum password length, which eliminates weak passwords that are common on many networks, such as “lab” and “company name.” Syslog messages are generated after the number of unsuccessful login attempts exceeds the configured threshold.
AutoSecure also allows a router to revert (roll) back to its pre-AutoSecure configuration state if the AutoSecure configuration fails.
When AutoSecure is enabled, a detailed audit trail of system logging messages captures any changes to, or tampering with, the AutoSecure configuration that has been applied to the running configuration.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The AutoSecure configuration was unavailable before Cisco IOS Release 12.3(8)T. If the router might later be reverted to an image earlier than Cisco IOS Release 12.3(8)T, save a copy of the running configuration before configuring AutoSecure.
The AutoSecure configuration can be configured at run time or setup time. If any related configuration is modified after AutoSecure has been enabled, the AutoSecure configuration may not be fully effective.
The management plane is secured by turning off certain global and interface services that can be potentially exploited for security attacks and turning on global services that help mitigate the threat of attacks. Secure access and secure logging are also configured for the router.
Caution: If your device is managed by a network management (NM) application, securing the management plane could turn off some services, such as the HTTP server, and disrupt NM application support.
The following subsections define how AutoSecure helps to secure the management plane:
After enabling this feature (through the auto secure command), the following global services are disabled on the router without prompting the user:
Note: If you are using Cisco Configuration Professional (CCP), you must manually enable the HTTP server through the ip http server command.
Caution: NM applications that use CDP to discover network topology are not able to perform discovery.
After enabling this feature, the following per interface services are disabled on the router without prompting the user:
After AutoSecure is enabled, the following global services are enabled on the router without prompting the user:
Caution: If your device is managed by an NM application, securing access to the router could turn off vital services and may disrupt NM application support.
After enabling this feature, the following options for securing access to the router are available to the user:
Authorized access only This system is the property of ABC Enterprise Disconnect IMMEDIATELY if you are not an authorized user! Contact abc@xyz.com +99 876 543210 for help.
Note: After AutoSecure has been enabled, tools that use SNMP to monitor or configure a device are unable to communicate with the device through SNMP.
The following logging options are available after AutoSecure is enabled. These options identify security incidents and provide ways to respond to them.
For more information on login system messages, see the Cisco IOS Release 12.3(4)T feature module Cisco IOS Login Enhancements.
To minimize the risk of attacks on the router forward plane, AutoSecure provides the following functions:
Note: CEF consumes more memory than a traditional cache.
Note: At the beginning of the AutoSecure dialogue, you are prompted for a list of public interfaces.
Caution: Although the auto secure command helps to secure a router, it does not guarantee the complete security of the router.
1. enable
2. auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]
Step 1: enable
Example: Router> enable
Purpose: Enables higher privilege levels, such as privileged EXEC mode. Enter your password if prompted.

Step 2: auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]
Example: Router# auto secure
Purpose: A semi-interactive dialogue session begins to secure the management plane, the forwarding plane, or both. If the management keyword is selected, only the management plane is secured; if the forwarding keyword is selected, only the forwarding plane is secured; if neither keyword is selected, the dialogue configures both planes. If the no-interact keyword is selected, the user is not prompted for any interactive configuration. If the full keyword is selected (the default), the user is prompted for all interactive questions.
1. enable
2. configure terminal
3. enable password {password | [encryption-type] encrypted-password}
4. security authentication failure rate threshold-rate log
5. exit
6. show auto secure config
The following example is a sample AutoSecure dialogue. After you enable the auto secure command, the feature automatically prompts you with a similar dialogue unless you enable the no-interact keyword. (For information on which services are disabled and which features are enabled, see the sections, “Securing the Management Plane” and “Securing the Forwarding Plane” earlier in this document.)
```
Router# auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:y
Enter the number of interfaces facing internet [1]:
Interface         IP-Address   OK? Method Status  Protocol
FastEthernet0/1   10.1.1.1     YES NVRAM  up      down
FastEthernet1/0   10.2.2.2     YES NVRAM  up      down
FastEthernet1/1   10.0.0.1     YES NVRAM  up      up
Loopback0         unassigned   YES NVRAM  up      up
FastEthernet0/0   10.0.0.2     YES NVRAM  up      down
Enter the interface name that is facing internet:FastEthernet0/0

Securing Management plane services..

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Enable secret is either not configured or
is same as enable password
Enter the new enable secret:abc123

Configuring aaa local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport

Configure SSH server? [yes]:
Enter the domain-name:example.com

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services..

Enabling CEF (it might have more memory requirements on some low end platforms)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]:yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$CZ6G$GkGOnHdNJCO3CjNHHyTUA.
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
ip domain-name example.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
int FastEthernet1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
int FastEthernet1/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
int FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
ip cef
interface FastEthernet0/0
 ip verify unicast reverse-path
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
access-list 100 deny ip any any
interface FastEthernet0/0
 ip inspect autosec_inspect out
 ip access-group 100 in
!
end

Apply this configuration to running-config? [yes]:yes

Applying the config generated to running-config
The name for the keys will be:ios210.example.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]

Router#
```
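The document notes that configuration changes made after AutoSecure has run can leave the hardening partly ineffective, and the procedure above ends with show auto secure config to review what was applied. The following Python script is an added example, not part of the Cisco document or of the AutoSecure feature: it parses a saved show running-config dump (interface sub-commands indented by one space, as IOS prints them) and reports which of the global, per-interface and Internet-facing settings from the generated configuration above are missing, including the security passwords min-length and security authentication failure rate ... log lines from the enhanced-access procedure. The sample configuration embedded in it is constructed from the page's generated config with two settings deliberately removed so that findings are produced; the enable-secret hash in it is a placeholder, not a real hash.

```python
"""Audit an IOS 'show running-config' dump for the AutoSecure settings shown above.
Added example, not part of the Cisco document or of AutoSecure itself. Interface
sub-commands are expected indented by one space, as IOS prints them."""
import re

# Settings AutoSecure emits, taken from the generated configuration on this page.
REQUIRED_GLOBAL = {
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip finger",
    "no ip source-route", "no ip gratuitous-arps", "no ip identd",
    "aaa new-model", "ip cef",
}
REQUIRED_PER_INTERFACE = {
    "no ip redirects", "no ip proxy-arp", "no ip unreachables",
    "no ip directed-broadcast", "no ip mask-reply",
}
# Extras expected only on the interface that was declared Internet-facing.
REQUIRED_ON_PUBLIC = {
    "ip verify unicast reverse-path", "ip access-group 100 in",
    "ip inspect autosec_inspect out",
}


def parse_config(text):
    """Return (global_lines, {interface_name: sub_command_lines}); blocks for the
    same interface are merged, since AutoSecure itself emits several per interface."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:                                   # 'interface X' opens a block
            current = m.group(1)
            interfaces.setdefault(current, set())
        elif raw.startswith(" ") and current is not None:
            interfaces[current].add(line)       # indented line belongs to the block
        else:
            current = None                      # unindented line closes the block
            global_lines.add(line)
    return global_lines, interfaces


def audit(text, public_interface):
    """Return a sorted list of findings; an empty list means nothing is missing."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL - global_lines]
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("global: no enable secret configured")
    # AutoSecure sets a 6-character minimum and logs failed-login bursts.
    min_len, rate_logged = None, False
    for l in global_lines:
        m = re.match(r"security passwords min-length (\d+)$", l)
        if m:
            min_len = int(m.group(1))
        if re.match(r"security authentication failure rate \d+ log$", l):
            rate_logged = True
    if min_len is None or min_len < 6:
        findings.append("global: security passwords min-length below 6 or unset")
    if not rate_logged:
        findings.append("global: authentication failure rate logging unset")
    for name, lines in interfaces.items():
        findings += [f"{name}: missing '{c}'" for c in REQUIRED_PER_INTERFACE - lines]
    public = interfaces.get(public_interface, set())
    findings += [f"{public_interface}: missing '{c}'" for c in REQUIRED_ON_PUBLIC - public]
    return sorted(findings)


# Constructed sample: every global AutoSecure setting except 'no cdp run', and
# FastEthernet0/1 without 'no ip proxy-arp', so exactly two findings are expected.
SAMPLE_CONFIG = "\n".join(sorted(REQUIRED_GLOBAL - {"no cdp run"})) + """
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$EXAMPLE$placeholder-not-a-real-hash
interface FastEthernet0/1
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 ip verify unicast reverse-path
 ip inspect autosec_inspect out
 ip access-group 100 in
!
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "FastEthernet0/0"):
        print(finding)
```

Run it against a file by replacing SAMPLE_CONFIG with the contents of a saved show running-config and passing the interface you named as Internet-facing in the dialogue; the checker is intentionally strict about exact command text, so a setting written in abbreviated form would be reported and should be reviewed by hand.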
| Related Topic | Document Title |
|---|---|
| Login functionality (such as login delays and login blocking periods) | Cisco IOS Login Enhancements feature module |
| Additional information regarding router configuration | Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T |
| Additional router configuration commands | Cisco IOS Configuration Fundamentals Command Reference Guide |
| RFCs | Title |
|---|---|
| RFC 1918 | Address Allocation for Private Internets |
| RFC 2267 | Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing |
| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
| Feature Name | Releases | Feature Information |
|---|---|---|
| AutoSecure | 12.3(1) 12.2(18)S 12.3(8)T 12.2(27)SBC | The AutoSecure feature uses a single CLI command to disable common IP services that can be exploited for network attacks, enable IP services and features that can aid in the defense of a network when under attack, and simplify and harden the security configuration on the router. In Cisco IOS Release 12.3(1)S, this feature was introduced. This feature was integrated into Cisco IOS Release 12.2(18)S. In Cisco IOS Release 12.3(8)T, support for the roll-back functionality and system logging messages was added. This feature was integrated into Cisco IOS Release 12.2(27)SBC. The following commands were introduced or modified: auto secure, security passwords min-length, show auto secure config. |